High

DATE	CVE	VULNERABILITY TITLE	RISK
2022-12-05	CVE-2022-35259	XML Injection (aka Blind XPath Injection) vulnerability in Ivanti Endpoint Manager XML Injection with Endpoint Manager 2022. local low complexity ivanti CWE-91	7.8
2022-08-12	CVE-2021-44720	Use of Hard-coded Credentials vulnerability in multiple products In Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. network low complexity pulsesecure ivanti CWE-798	7.2
2022-04-11	CVE-2022-22572	Unspecified vulnerability in Ivanti Incapptic Connect A non-admin user with user management permission can escalate his privilege to admin user via password reset functionality. network low complexity ivanti	8.8
2021-12-07	CVE-2021-42127	Deserialization of Untrusted Data vulnerability in Ivanti Avalanche A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service. network low complexity ivanti CWE-502	7.5
2021-12-07	CVE-2021-42128	Unspecified vulnerability in Ivanti Avalanche An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service. network low complexity ivanti	7.5
2021-11-19	CVE-2021-22965	Resource Exhaustion vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12.1 could allow an unauthenticated administrator to causes a denial of service when a malformed request is sent to the device. network low complexity pulsesecure ivanti CWE-400	7.5
2021-08-16	CVE-2021-22934	Classic Buffer Overflow vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator or compromised Pulse Connect Secure device in a load-balanced configuration to perform a buffer overflow via a malicious crafted web request. network low complexity pulsesecure ivanti CWE-120	7.2
2021-08-16	CVE-2021-22935	Command Injection vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter. network low complexity pulsesecure ivanti CWE-77	7.2
2021-08-16	CVE-2021-22937	Unrestricted Upload of File with Dangerous Type vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface. network low complexity pulsesecure ivanti CWE-434	7.2
2021-08-16	CVE-2021-22938	Command Injection vulnerability in multiple products A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console. network low complexity pulsesecure ivanti CWE-77	7.2